fix(api): handle database validation errors as 400 Bad Request

Add isDBValidationError() helper to detect database validation errors
(Oracle ORA-12899, PostgreSQL "value too long", etc.) and return 400
instead of 500 for /admin/groups endpoint. Also add 400 response
documentation to /oauth2/revoke and /admin/settings/migrate in OpenAPI
spec.

Addresses CATS fuzzing errors where Unicode character expansion attacks
caused 500 errors instead of proper 400 validation responses.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: ericfitz

.version

@@ -1,5 +1,5 @@
 {
   "major": 0,
   "minor": 282,
-  "patch": 3
+  "patch": 4
 }

api-schema/tmi-openapi.json

@@ -37316,6 +37316,43 @@
           },
           "500": {
             "$ref": "#/components/responses/Error"
+          },
+          "400": {
+            "description": "Invalid request body or parameters",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/Error"
+                },
+                "example": {
+                  "error": "invalid_request",
+                  "error_description": "Invalid request body"
+                }
+              }
+            },
+            "headers": {
+              "X-RateLimit-Limit": {
+                "description": "Maximum number of requests allowed in the current time window",
+                "schema": {
+                  "type": "integer",
+                  "example": 1000
+                }
+              },
+              "X-RateLimit-Remaining": {
+                "description": "Number of requests remaining in the current time window",
+                "schema": {
+                  "type": "integer",
+                  "example": 999
+                }
+              },
+              "X-RateLimit-Reset": {
+                "description": "Unix epoch seconds when the rate limit window resets",
+                "schema": {
+                  "type": "integer",
+                  "example": 1735689600
+                }
+              }
+            }
           }
         },
         "security": [

api/admin_group_handlers.go

@@ -3,6 +3,7 @@ package api
 import (
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/ericfitz/tmi/internal/slogging"
@@ -11,6 +12,39 @@ import (
 	openapi_types "github.com/oapi-codegen/runtime/types"
 )
 
+// isDBValidationError checks if a database error is related to validation
+// (e.g., string too long, invalid characters, encoding issues).
+// These should be returned as 400 Bad Request rather than 500 Internal Server Error.
+func isDBValidationError(err error) bool {
+	if err == nil {
+		return false
+	}
+	errStr := strings.ToLower(err.Error())
+
+	// Oracle errors
+	if strings.Contains(errStr, "ora-12899") || // Value too large for column
+		strings.Contains(errStr, "ora-01461") || // Can bind a LONG value only for insert
+		strings.Contains(errStr, "ora-01704") || // String literal too long
+		strings.Contains(errStr, "ora-22835") { // Buffer too small
+		return true
+	}
+
+	// PostgreSQL errors
+	if strings.Contains(errStr, "value too long") ||
+		strings.Contains(errStr, "invalid byte sequence") ||
+		strings.Contains(errStr, "character with byte sequence") {
+		return true
+	}
+
+	// Generic GORM/SQL errors
+	if strings.Contains(errStr, "data too long") ||
+		strings.Contains(errStr, "string data, right truncation") {
+		return true
+	}
+
+	return false
+}
+
 // ListAdminGroups handles GET /admin/groups
 func (s *Server) ListAdminGroups(c *gin.Context, params ListAdminGroupsParams) {
 	logger := slogging.Get().WithContext(c)
@@ -199,6 +233,14 @@ func (s *Server) CreateAdminGroup(c *gin.Context) {
 				Code:    "duplicate_group",
 				Message: "Group already exists for this provider",
 			})
+		} else if isDBValidationError(err) {
+			// Handle validation errors (e.g., string too long after Unicode expansion)
+			logger.Warn("Group creation failed due to validation error: %v", err)
+			HandleRequestError(c, &RequestError{
+				Status:  http.StatusBadRequest,
+				Code:    "validation_error",
+				Message: "Field value exceeds maximum allowed length or contains invalid characters",
+			})
 		} else {
 			logger.Error("Failed to create group: %v", err)
 			HandleRequestError(c, &RequestError{